fix(ci): install pip into the uv venv so pip-audit can introspect it#120
Conversation
First post-merge pip-audit run failed with:
/home/runner/.../.venv/bin/python: No module named pip
uv sync creates a venv without pip (uv has its own resolver), but
pip-audit shells out to pip to enumerate installed packages. Adding
`uv pip install pip` after the sync seeds it.
Confirmed `continue-on-error: true` does mark the job as failed even
though it doesn't gate the workflow — leaving that intact since the
intent is "surface CVEs visibly, not block."
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code ReviewOverall: LGTM — correct, minimal, well-explained fix. What this does
Strengths
One Alternative Worth KnowingA slightly more uv-idiomatic approach would be to export a requirements file and pass it directly to the action instead of installing pip: - name: Export lockfile for audit
run: uv export --format=requirements-txt --no-dev > requirements-audit.txt
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
with:
inputs: requirements-audit.txtThis avoids the pip install entirely and audits the locked deps rather than the installed environment. The tradeoff: it audits the lockfile, not the realized venv, so any install-time resolution differences would be missed. For this project's use case that's a negligible difference. Not a blocker — the current approach is simpler and correct. Just flagging it for future consideration. Minor Notes
Ready to merge once CI passes. |
Summary
First post-merge
pip-auditrun on main failed:uv synccreates a venv withoutpip(uv has its own resolver), butpip-auditshells out topipto enumerate installed packages. Addeduv pip install pipafter the sync to seed it.Kept
continue-on-error: trueon the audit job (non-blocking by design until the noise floor is established).Failing run: https://github.com/TexasCoding/kalshi-python-sdk/actions/runs/25990783709
Test plan